# Make temporary GPG home directory
homedir=$(mktemp -d /tmp/gpg.XXXXXX)
+ # in case a previous gpg invocation failed in some weird way
+ # and left behind a zero length gpg key (pub or priv).
+ if [ -f $PLC_ROOT_GPG_KEY_PUB -a ! -s $PLC_ROOT_GPG_KEY_PUB ] ; then
+ rm -f $PLC_ROOT_GPG_KEY_PUB
+ fi
+ if [ -f $PLC_ROOT_GPG_KEY -a ! -s $PLC_ROOT_GPG_KEY ] ; then
+ rm -f $PLC_ROOT_GPG_KEY
+ fi
+
if [ ! -f $PLC_ROOT_GPG_KEY_PUB -o ! -f $PLC_ROOT_GPG_KEY ] ; then
# Generate new GPG keyring
MESSAGE=$"Generating GPG keys"
# Temporarily replace /dev/random with /dev/urandom to
# avoid running out of entropy.
rm -f /dev/random
+ # 1 9 is /dev/urandom
mknod /dev/random c 1 9
+ # sometimes mknod fails within an improperly setup vserver
+ check
gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
--gen-key <<EOF
Key-Type: DSA
)
IFS=$OLDIFS
- # Add a new UID if appropriate. GPG will detect and merge duplicates.
- gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
- --no-default-keyring \
- --secret-keyring=$PLC_ROOT_GPG_KEY \
- --keyring=$PLC_ROOT_GPG_KEY_PUB \
- --command-fd 0 --status-fd 1 --edit-key $fingerprint <<EOF
+
+ # Add a new UID if appropriate. GPG (v1) will detect and
+ # merge duplicates but this is considered as a bug in GPG2
+ # and we need to check for existence.
+ gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
+ --list-keys \
+ --no-default-keyring \
+ --secret-keyring=/etc/planetlab/secring.gpg \
+ --keyring=/etc/planetlab/pubring.gpg \
+ | grep "$PLC_NAME Central" \
+ | grep "$PLC_MAIL_SUPPORT_ADDRESS" \
+ | grep "http://$PLC_WWW_HOST/"
+
+ if [ $? -ne 0 ]; then
+ gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
+ --no-default-keyring \
+ --secret-keyring=$PLC_ROOT_GPG_KEY \
+ --keyring=$PLC_ROOT_GPG_KEY_PUB \
+ --command-fd 0 --status-fd 1 --edit-key $fingerprint <<EOF
adduid
$PLC_NAME Central
$PLC_MAIL_SUPPORT_ADDRESS
save
EOF
check
+ fi
+
fi
# Install the key in the RPM database
rpm --allmatches -e gpg-pubkey
check
fi
- rpm --import /etc/pki/rpm-gpg/*
+ # starting with rpm-4.6, this fails when run a second time
+ # it would be complex to do this properly based on the filename,
+ # as /etc/pki/rpm-gpg/ typically has many symlinks to the same file
+ # see also http://fedoranews.org/tchung/gpg/
+ # so just ignore the result
+ rpm --import /etc/pki/rpm-gpg/* || :
check
# Make GPG key readable by apache so that the API can sign peer requests